openssh / prngd unresolved bug since 2002, need help

David Beecher dbeecher at dmsgs.com
Sat Jul 12 02:58:05 EST 2008


Hello,

I apologize if this is the wrong list. It was the list I was directed 
towards. I have reviewed the archives as well as everything I could 
google before posting. Any help is most appreciated:

We're seeing an error during sftp and ssh connections with consistent 
regularity. It's triggered by a high number of connections coming into 
sftp/ssh at the same time. It affects additional connections and leaves 
the failed connect attempts open for days in a TCP_WAIT state. We're 
seeing the error in the system logs:

openssh session hanging - prngd[671]: write() in socket_write() failed: Broken pipe

This appears to be an issue that has been an unresolved problem with 
prngd since 2002.  Some have attributed the problem to prngd version 
0.9.26 (2004) but we are seeing it with version 0.9.25 (30 May 2002) as 
have others that we've seen on the web.

The problem appears to be (we are quoting here):

-- snip --
  When lots of processes query entropy at the same time, the "fairness"
  change introduced in 0.9.25 could lead to clients being only served with
  a delay.
  Reason: in serverloop.c the next client to serve is "i1" as determined from
    i1 = (prev_location + i) % max_query_old;
  The client that actually was served however was "i" instead of "i1".
  If the connection of "i" was not yet ready for "write" state set after
  getting the entropy, it might block.
  This problem has not been reported by any other user, though it might also
  have occurred at other sites.
  Depending on the internal sorting of sockets by fd/slot (number increasing
  in the sequence of accepted connections, closed connections are
  removed from the list), connections might appear locked.
  The entropy served was not provided in the sequence intended. The
  entropy bytes returned via internal buffer however were consistent
  with the connection served (buffer[i]) was filled correctly for
  connection[i]. The problem therefore has no impact on the quality
  of seeding.
-- snap --

It appears that the latest version of prngd for sunos is 0.9.25 up 
through solaris 9.

The sourceforge for prngd (http://sourceforge.net/projects/prngd/) is 
alive but does not appear to be active. I'm going to contact them. Has 
anybody else found a reliable solution or a newer version of prngd for 
sunos 5.8 that does not have this issue?

We have not received any response from the prngd group on sourceforge.

Thank you in advance for any/all help,
David
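
Added example, not part of the original post and not prngd's source: a simplified C model of the index mix-up described in the quoted text above. It assumes readiness for write is tested on slot i1 while the write goes to slot i; MAX_QUERY, READY and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_QUERY 8 /* constructed slot count, stands in for max_query_old */

/* Constructed sample: only slots 3, 4 and 5 are ready for write. */
static const bool READY[MAX_QUERY] = {false, false, false, true, true, true, false, false};

/* One pass over the slots. Readiness is tested on i1 (assumption); the
 * write goes to i when buggy, to i1 when fixed. Fills served[] in order,
 * returns how many writes hit a slot that was not ready (would block). */
static int serve_pass(int prev_location, bool buggy, int served[], int *n_served)
{
    int blocked = 0;
    *n_served = 0;
    for (int i = 0; i < MAX_QUERY; i++) {
        int i1 = (prev_location + i) % MAX_QUERY; /* expression from the quoted text */
        if (!READY[i1])
            continue;
        int target = buggy ? i : i1;
        if (!READY[target])
            blocked++;
        served[(*n_served)++] = target;
    }
    return blocked;
}

/* Number of would-block writes in one pass. */
static int blocking_writes(int prev_location, bool buggy)
{
    int served[MAX_QUERY], n;
    return serve_pass(prev_location, buggy, served, &n);
}

/* First slot written to in one pass, or -1 if none. */
static int first_served(int prev_location, bool buggy)
{
    int served[MAX_QUERY], n;
    serve_pass(prev_location, buggy, served, &n);
    return n > 0 ? served[0] : -1;
}

int main(void)
{
    printf("buggy: first=%d blocking=%d\n", first_served(3, true), blocking_writes(3, true));
    printf("fixed: first=%d blocking=%d\n", first_served(3, false), blocking_writes(3, false));
    return 0;
}
```

With prev_location at 0 the two indices coincide and the model shows no blocking write; the mismatch only appears once the rotation offset is non-zero.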



More information about the openssh-unix-dev mailing list